
Two-Factor Authentication

23 Sep


(or How to Keep Your Facebook Account from Getting Hacked)

It seems that not a month goes by without one of my Facebook friends posting something like, “If you see a video from me, don’t click on it. My account was hacked.” We live in dangerous times — Sony and Equifax and so many other systems are compromised — but there are fairly easy tools we can use to at least make the bad guys’ lives harder. One of them is two-factor authentication.

A Password is Not Enough

Passwords are a venerable computer security measure, but they have their limitations. Whether your password is long or short, simple or complex, computers can run through many possible passwords in a second and “brute force” their way into your account. Enter multi-factor authentication.

Authentication is the process of proving to a computer system that you are who you say you are, and reasonably secure systems require more than just a password to authenticate users. Each thing you must provide to the system to prove your identity is called a “factor,” so multi-factor authentication requires a password and something else. A common combination is “something you know and something you have.” You know your password, but what do you have that Facebook (or Twitter or your bank) knows about? We all have our phones!

A common — though imperfect — implementation of two-factor authentication (2FA) is to tell the system or website your phone number. When you log in with your password, the system sends you a text message with a unique code, good for only one use, which you then enter into the system or site. The site now knows that (1) you know your password, and (2) you have your phone, so it can reasonably believe you are who you claim to be.

That can get a bit tedious, so there is often another step. After you enter the code, you can tell the site, “Remember this computer is mine, too.” The next time you log in, you provide your password and your computer provides something tied to that earlier login. Now the site knows that (1) you know your password, and (2) you have the computer you previously said is yours. Of course, when you get a new computer, borrow a friend’s, or go to an Internet cafe, the site doesn’t recognize the computer and you get a text message. More importantly, when a bad guy in Elbonia guesses your password, you get a text message, too, and he doesn’t get to hack your account!
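For readers who want to see the moving parts, here is the login flow from the last two paragraphs sketched from the website's side. It is an added example, not code from any real site: the class and method names, the five-minute code lifetime, and the `sent` list standing in for the text-message gateway are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300  # assumption: a texted code stays valid for 5 minutes

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoFactorLogin:
    def __init__(self, users):
        self.users = users   # name -> (salt, password hash)
        self.pending = {}    # name -> (code, expiry time)
        self.trusted = {}    # name -> hashes of "remember this computer" tokens
        self.sent = []       # stand-in for the SMS gateway: (name, code)

    def _password_ok(self, name, password):
        if name not in self.users:
            return False
        salt, stored = self.users[name]
        return hmac.compare_digest(hash_password(password, salt), stored)

    def login(self, name, password, device_token=None):
        # Factor 1: something you know.
        if not self._password_ok(name, password):
            return "denied"
        # Factor 2, shortcut: a computer you previously said is yours.
        if device_token:
            digest = hashlib.sha256(device_token.encode()).hexdigest()
            if digest in self.trusted.get(name, set()):
                return "ok"
        # Factor 2, default: text a fresh code to the account owner's phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[name] = (code, time.time() + CODE_TTL)
        self.sent.append((name, code))
        return "code_required"

    def verify_code(self, name, code, remember=False):
        # pop() makes the code single-use: right or wrong, it is gone after one try.
        expected, expiry = self.pending.pop(name, ("", 0.0))
        if not expected or time.time() > expiry:
            return False, None
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False, None
        if not remember:
            return True, None
        token = secrets.token_urlsafe(32)  # stored by the browser, e.g. as a cookie
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.trusted.setdefault(name, set()).add(digest)
        return True, token
```

Someone who has guessed the password but holds neither the phone nor a remembered computer never gets past `"code_required"`, and every attempt they make adds an entry to `sent`, which is the text message that tips off the real owner.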

Go set up 2FA on all your social media sites. Do it now. You can thank me later.

Resources

Here’s how to set up two-factor authentication on several popular sites.

Amazon: https://www.amazon.com/gp/help/customer/display.html?nodeId=201962420

Facebook: https://www.facebook.com/help/148233965247823

Twitter: https://help.twitter.com/en/managing-your-account/two-factor-authentication

 

Posted by on September 23, 2019 in Cybersecurity

 
